CN107302428A - The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network - Google Patents
The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network Download PDFInfo
- Publication number
- CN107302428A CN107302428A CN201710385174.8A CN201710385174A CN107302428A CN 107302428 A CN107302428 A CN 107302428A CN 201710385174 A CN201710385174 A CN 201710385174A CN 107302428 A CN107302428 A CN 107302428A
- Authority
- CN
- China
- Prior art keywords
- cryptographic algorithm
- algorithm
- security label
- consultation
- machinery
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a kind of machinery of consultation of the cryptographic algorithm of data transport services in power distribution network, it is characterized in that, the machinery of consultation includes service security label of the negotiations process of cryptographic algorithm between network node in service security label, algorithm security label and two kinds of match patterns, power distribution network entirely by reference to current data transmission business.The machinery of consultation of the present invention avoids the safety problem matched in legacy network security protocol with weak password external member caused by client password algorithm priority.Two kinds of match patterns of the present invention consider not only the Rapid matching requirement of new distribution equipment, while have also contemplated that the compatible matching demand of old equipment, efficiently solve the transition problem of cryptographic algorithm in power distribution network to the close algorithm standard rules of state.
Description
Technical field
This invention relates generally to the smart grid security communications field, relate more specifically to data in a kind of power distribution network and transmit
The machinery of consultation of the cryptographic algorithm of business.
Background technology
With the fast development of national economic development, power automatic system is used widely.With distribution network control
The distribution terminal of function processed is largely scattered to be deployed in distribution network.It is whole to each distribution that distribution main website sends instruction by front end processor
The remote management of the modes such as remote measurement, remote signalling, remote control is realized at end, it is achieved thereby that the control to distribution network.In recent years, with net
Network, it is information-based deepen continuously, the requirement more and more higher to distribution terminal secure communication.The major measure taken at present has:
The front end processor of main website side is configured with the Digital Signature module based on asymmetric cryptographic algorithm, to control command and parameter setting instruction
Signature operation is carried out, is differentiated and message integrity protection with the identity for realizing substation or terminal-pair main website;To important substation or end
The communication at end can use two-way authentication, realize that the bidirectional identification of main website and substation or terminal room differentiates;Main website, substation and
Terminal is configured with the data encryption module based on symmetric cryptographic algorithm, to realize the Confidentiality protection to message.
However, distribution terminal deployed at present not yet uses unified cryptographic algorithm standard, some terminals still exist
Using some unsafe cryptographic algorithms, the old terminal having is even without DEA.And use state on power distribution network
The cry of family's commercial cipher standard grows to even greater heights, and the use of cryptographic algorithm is also gradually to the close algorithm mark of state in current power distribution network
Quasi- transition.During cryptographic algorithm negotiation is carried out, the problem of new distribution device password algorithm fast-negotiation should be considered,
It is also required to consider the compatibility issue that old controller switching equipment cryptographic algorithm is consulted.
In addition, power distribution network is widely used traditional network security protocol such as SSL, it is characterized in client password external member
Priority hold consultation, for the distribution terminal that current security configuration is poor, weak password external member is easily utilized by hacker
Leak carries out network attack.And process of distributing electricity often relates to different business, such as control command transmission business, parameter configuration industry
Business, data forwarding business etc., demand for security and efficiency requirements of these different types of business to data also have difference.So straight
The password that female connector can not meet service-oriented in power distribution network with the cryptographic algorithm matching way in traditional network security protocol is calculated
Method consults demand.
The content of the invention
The invention provides a kind of machinery of consultation of the cryptographic algorithm of data transport services in power distribution network, it is intended to solves current
Depend on the matching problem of the weak password external member caused by client first level in distribution network system unduly, it is and close in controller switching equipment
Code Rapid matching problem from algorithm to the novel device cryptographic algorithm under the close algorithm standard rules transition situation of state and old device password
The compatible matching problem of algorithm.
The machinery of consultation of the cryptographic algorithm of data transport services in power distribution network provided by the present invention, it includes following step
Suddenly:
Step 1:The negotiation that data transmitting node sends cryptographic algorithm to data reception node is asked;
Step 2:The data reception node sends its cryptographic algorithm set S2 supported to the data transmitting node;
Step 3:The cryptographic algorithm set S1 that the data transmitting node is supported it seeks common ground to obtain with set S2
Set S;
Step 4:The data transmitting node obtains the service security label that current data transmits business, the service security
Label includes multiple flag bits;
Step 5:The data transmitting node judges whether set S meets the first flag bit in the service security label
Requirement, if be unsatisfactory for require, that is, stop consult, otherwise into step 6;
Step 6:The data transmitting node obtains the algorithm security label of each cryptographic algorithm in set S, selects first
Mode standard, under the mode standard, according to the priority orders of multiple flag bits in the service security label to set S
In cryptographic algorithm screened one by one, obtain matches criteria result, whether then judge the matches criteria result is empty set,
If not empty set, then take out cryptographic algorithm therein as the cryptographic algorithm finally consulted, and be transferred to step 8;Otherwise, record sieve
Select daily record and enter step 7, start further matching;
Step 7:The data transmitting node is switched to compatibility mode, under the compatibility mode, the sieve according to step 6
Daily record is selected, the numerical value of the flag bit of the service security label is reduced, and updates the service security label, and according to the mark
The screening mode of quasi-mode starts further screening, until the cryptographic algorithm finally consulted, and is transferred to step 8;
Step 8:The cryptographic algorithm finally consulted is sent to the data reception node by the data transmitting node,
Negotiation terminates.
Preferably, the service security label designates demand for security of the business to cryptographic algorithm, and its form is
IsEmpty | and isNationalCrypt | securityLevel | isEfficiencyPriority }, wherein, isEmpty is institute
State the first flag bit and represent whether the business at least needs a cryptographic algorithm, isNationalCrypt is the second flag bit
And representing whether the business has demand to the close algorithm standard rules of state, securityLevel is the 3rd flag bit and represents the business
Safe class needed for cryptographic algorithm, isEfficiencyPriority is the 4th flag bit and represents whether the business is preferentially examined
Consider efficiency of algorithm, isEmpty, isNationalCrypt, securityLevel and isEfficiencyPriority's is preferential
Level is successively decreased successively.
Preferably, isEmpty, isNationalCrypt and isEfficiencyPriority are respectively using 0 or 1
Represent, securityLevel carries out safety status classification using the span of key length.
Preferably, in steps of 5, when isEmpty=1 and set S are empty set, then it is unsatisfactory for the requirement.
Preferably, the algorithm security label designates the security attribute of the cryptographic algorithm, and its form is { is_
National_crypt | security_level | efficiency_level }, wherein, is_national_crypt is the 5th
Flag bit and represent whether the cryptographic algorithm is the close algorithm of state, security_level is the 6th flag bit and represents that the password is calculated
The safe class of method, efficiency_level is the 7th flag bit and represents the level of efficiency of the cryptographic algorithm.
Preferably, is_national_crypt is represented using 0 or 1, and security_level uses key length
Span carries out safety status classification, and efficiency_level performs speed using the cryptographic algorithm of authority's evaluation and test mechanism
Span define.
Preferably, under the mode standard, screening rule is according to multiple flag bits in the service security label
Priority orders matched, the algorithm security label of the cryptographic algorithm in set S is passed through to set S first
The sieve set that isNationalCrypt screenings are met the close algorithm standard rules of state is crossed, judges whether the sieve set is empty
Collection, if not empty set, into the screening of next stage, otherwise records the screening daily record and be transferred to the compatibility mode;Then
Screen the safe class bar for being met the service security label requirement by securityLevel again to described one sieve set
Two sieve set of part, then judge whether the two sieves set is empty set, if not empty set, no into the screening of next stage
Then record the screening daily record and be transferred to the compatibility mode;As isEfficiencyPriority=1, then sieved to described two
Cryptographic algorithm in set is ranked up by efficiency levels, and the highest-ranking algorithm of efficiency of selection is calculated as the password finally consulted
Method;As isEfficiencyPriority=0, then a kind of cryptographic algorithm is randomly choosed as final from described two sieve set
The cryptographic algorithm of negotiation.
Preferably, under the compatibility mode, the data transmitting node is first determined whether described according to the screening daily record
Whether one sieve set is empty set, if empty set, illustrates that the condition of isNationalCrypt flag bit defineds is too strong, then will
IsNationalCrypt is set to 0, and updates the service security label, according still further to the mode standard screening mode to collection
S is closed to screen again.If the sieve set is not empty set, and the two sieves collection is combined into empty set, illustrates that securityLevel is marked
The condition of will position defined is too strong, then securityLevel is reduced into a rank, and updates the service security label, then
Described one sieve set is screened using the screening mode of the mode standard, untill described two sieve set non-NULLs;Most
Afterwards, last screening is done to described two sieve set further according to isEfficiencyPriority flag bits, so as to finally be assisted
The cryptographic algorithm of business.
The beneficial effects of the present invention are:
1st, according to the machinery of consultation of the cryptographic algorithm of data transport services in the power distribution network of the present invention, the standard of negotiation depends on
In security requirement of the current business to data to be sent, the cryptographic algorithm priority with communication node itself is unrelated, can be effective
Prevent hacker using the network attack caused by the weak password external member leak of communication node;
2nd, can be according to treating the invention provides two kinds of cryptographic algorithm match patterns, i.e. mode standard and compatibility mode
Matching result with cryptographic algorithm set flexibly switches match pattern, both ensure that quick of new distribution device password algorithm
With demand, the compatible matching demand to old controller switching equipment cryptographic algorithm has also been taken into full account, it is easy to accomplish to the close algorithm of state
The transition of standard;
3rd, the flag bit (or parameter) in service security label provided by the present invention can be set according to specific network
Standby situation, is flexibly set by administrative staff, is easy to the upgrade maintenance of controller switching equipment.
Brief description of the drawings
Fig. 1 is the overall procedure of the machinery of consultation of the cryptographic algorithm of data transport services in the power distribution network according to the present invention
Figure.
Fig. 2 is the flow chart of cryptographic algorithm matching process under mode standard.
Fig. 3 is the flow chart of cryptographic algorithm matching process under compatibility mode.
Embodiment
For the object, technical solutions and advantages of the present invention are more clearly understood, below in conjunction with specific embodiments and the drawings,
The present invention is described in further detail.
Cryptographic algorithm negotiations process involved by control command transmission business using distribution main website to distribution terminal below as
The present invention is described in detail in embodiment.Before the embodiment of the description present invention, some preparations will be done first, so that related
Concept is more specific, clear.
The control command transmission business includes two subservices, that is, subservice of signing and encryption subservice, correspondingly, institute
Stating the service security label of control command transmission business includes two parts:The service security label and encryption for subservice of signing
The service security label of business, its data format be isEmpty | isNationalCrypt | securityLevel |
isEfficiencyPriority}.Wherein, isEmpty is to represent whether current business at least needs the mark of a cryptographic algorithm
Will position, for judging whether the common factor of distribution main website and distribution terminal cryptographic algorithm is empty set, if desired, then isEmpty is set to
1, it is otherwise 0;IsNationalCrypt is to represent whether current business is required as the flag bit of state's Data Encryption Standard algorithm, if desired,
Then isNationalCrypt is set to 1, is otherwise 0;SecurityLevel is the mark for the level of security demand for representing current business
Will position, can use the key length scope of cryptographic algorithm to represent.For DEA, its key length is equal to its point
Group length;For Digital Signature Algorithm, its key length is slightly complicated, has relation with specific cipher system and modulus, for example,
The ECC of the RSA of 1024 bits level of security and 160 bits is suitable, in consideration of it, authority's evaluation and test mechanism can be used on numeral
The evaluating standard of signature algorithm carries out the division of safe class.IsEfficiencyPriority is whether to represent cryptographic algorithm
The flag bit of efficiency comes first is needed, if desired, then isEfficiencyPriority is set to 1, it is otherwise 0.
For example, for Digital Signature Algorithm, level of security is set into 4 according to key length (relative to ECC algorithm)
Rank:Key length is 0 grade in 0-60 bits, and key length is 1 grade in 60-120 bits, and key length is in 120-160 ratios
Specially for 2 grades, key length is 3 grades more than 160 bits.Might as well be 4 levels by safety status classification for DEA
Not, key length is 0 grade in 0-40 bits, and key length is 1 grade in 40-80 bits, and key length is 2 in 80-120 bits
Level, key length is 3 grades more than 120 bits.It should be noted that only roughly giving a safety status classification here
Example, in actual use, can be as needed using mark of the authority evaluation and test mechanism on cryptographic algorithm safety status classification
It is accurate.
Business is transmitted, it is necessary to which distribution terminal is tested the control command from distribution main website for the control command
Card, will also ensure the confidentiality of message in transmitting procedure, so, according to above-mentioned definition mode, the business peace of signature subservice
The isEmpty flag bits of full label and the service security label for encrypting subservice should all be set to 1;It is excellent to consider the close algorithm standard rules of state
First level, can be by the service security label for subservice of signing and the service security label of encryption subservice
IsNationalCrypt flag bits are all set to 1;The recommendation key length of current ECC signature algorithms is at least 160 bits, data
The recommendation key length of AES is 128 bits, therefore, it can the service security label for subservice of signing and encrypts sub- industry
The securityLevel flag bits of the service security label of business are disposed as 3;For the real-time of the transmission of distribution control command
It is required that it is higher, can be by the service security label for subservice of signing and the service security label of encryption subservice
IsEfficiencyPriority flag bits are all set to 1.So, the service security label of the control command transmission business is with regard to structure
Make and complete, wherein signature subservice service security label for 1 | 1 | 3 | 1, encryption subservice service security label be { 1
| 1 | 3 | 1 }, thus the service security label of control command transmission business for 1 | 1 | 3 | 1 & 1 | 1 | 3 | 1, it is and described two
Memory space shared by the service security label of subservice is 5 bits.
Correspondingly, each cryptographic algorithm supported of distribution main website and distribution terminal corresponds to an algorithm security mark
Label, the algorithm security label includes three flag bits, indicates the security attribute of the cryptographic algorithm, i.e. { is_national_
Crypt | security_level | efficiency_level }, wherein, is_national_crypt is to represent the cryptographic algorithm
Whether be the close algorithm of state flag bit, security_level is the flag bit for the safe class for representing the cryptographic algorithm, can be with
Defined using defined above by the span of key length.Efficiency_level is the effect for representing the cryptographic algorithm
The flag bit of rate grade, is weighed using the execution speed of cryptographic algorithm, may be referred to relevant authority evaluation and test mechanism and password is calculated
The evaluation and test data that method performs speed divide come the efficiency levels to cryptographic algorithm.In order to provide an intuitively example, no
Efficiency_level is set to 4 ranks by harm, i.e., and 0,1,2,3, its numerical value is bigger, and represent the cryptographic algorithm performs speed
Degree is faster.For example, known according to the definition in above-mentioned example on the close algorithm standard rules condition of state and cryptographic algorithm safe class,
AES-128 is not the close algorithm of state, and its level of security is 3, might as well set its efficiency levels as 2, then AES-128 algorithm security label
For 0 | and 3 | 2 }.And for example SM4 is the close algorithm of state, and its level of security is 3, might as well set its efficiency levels as 3, then SM4 algorithm security
Label is { 1 | 3 | 3 }.Memory space shared by the algorithm security label of above-mentioned two cryptographic algorithm is 5 bits.
For convenience, without loss of generality, according to above-mentioned definition mode, it is assumed that the business peace of the control command transmission business
Full label for 1 | 1 | 3 | 1 & 1 | 1 | 3 | 1, and distribution main website (hereinafter referred to as " main website ") supports cryptographic algorithms all at present,
And the signature algorithm collection that a certain distribution terminal (hereinafter referred to as " terminal ") is supported be combined into SS21=SA1, SA2, SA3, SA4,
SA5 }, algorithm set SS22={ EA1, EA2, EA3, EA4, EA5 }, the algorithm security mark in SS21 corresponding to cryptographic algorithm
Label are as shown in table 1, and the algorithm security label in SS22 corresponding to cryptographic algorithm is as shown in table 2:
Table 1
| Signature algorithm identifier | The algorithm security label of signature algorithm |
| SA1 | {0|1|3} |
| SA2 | {0|2|3} |
| SA3 | {1|2|3} |
| SA4 | {1|3|2} |
| SA5 | {1|3 1} |
Table 2
| Encryption algorithm identification | The algorithm security label of AES |
| EA1 | {0|1|3} |
| EA2 | {0|1|2} |
| EA3 | {0|2|2} |
| EA4 | {0|2|1} |
| EA5 | {0|2|3} |
Preparation is finished, and 1,2 and 3 transmits industry to describe data in the power distribution network according to the present invention below with reference to accompanying drawings
One embodiment of the machinery of consultation of the cryptographic algorithm of business, the machinery of consultation comprises the following steps:
Step 1:The main website sends cryptographic algorithm to the terminal to be consulted to ask;
Step 2:The terminal sends its cryptographic algorithm list supported, including signature algorithm set to the main website
SS21={ SA1, SA2, SA3, SA4, SA5 } and algorithm set SS22={ EA1, EA2, EA3, EA4, EA5 };
Step 3:Signature algorithm set SS11 that the main website is supported it and algorithm set SS12 respectively with
SS21 and SS22 seek common ground, and obtain SS1 and SS2, as it is assumed that the main website supports all cryptographic algorithms, so SS1=SS21,
SS2=SS22;
Step 4:The main website obtain the control command transmission business service security label 1 | 1 | 3 | 1 & 1 | 1 | 3 |
1};
Step 5:The main website first determines whether whether SS1 and SS2 meets the isEmpty flag bits of the service security label
It is required that.Due to the business need signature algorithm and AES all at least one, and SS1 and SS2 are not empty sets, therefore are met
It is required that, then into step 6;
Step 6:The main website selects the mode standard to be matched first, according to isNationalCrypt flag bits
To decide whether to regard the close algorithm standard rules of state as screening conditions.After the screening conditions of the close algorithm standard rules of state of enforcement, further according to
SecurityLevel flag bits are screened to the safe class of cryptographic algorithm, finally further according to
The value of isEfficiencyPriority flag bits decides whether to be ranked up cryptographic algorithm by the level of efficiency of cryptographic algorithm
With efficiency of selection highest cryptographic algorithm.
For the control command transmit business, its sign subservice service security label for 1 | 1 | 3 | 1, represent should
Subservice needs state's Data Encryption Standard algorithm, and safe class Minimum requirements are 3, and require to pay the utmost attention to cryptographic algorithm efficiency.It is then right
In signature algorithm set SS1 to be matched, according to the algorithm security label of cryptographic algorithm in set SS1, set SS1 is passed through
IsNationalCrypt screenings obtain a sieve set { SA3, SA4, SA5 }, the set non-NULL, then described one sieve is gathered
The two sieve set { SA4, SA5 }, the set also non-NULL, by cryptographic algorithm efficiency are obtained by securityLevel screenings
After sequence, it is known that SA4 level of efficiency highest, therefore the matches criteria result { SA4 } obtained by the mode standard
It is not empty set, it is not necessary to enter compatibility mode, therefore SA4 is as the Digital Signature Algorithm finally consulted and is transferred to step 8 for selection.
On the other hand, for encrypt subservice service security label for 1 | 1 | 3 | 1, represent that the subservice needs state close
Algorithm standard rules, safe class Minimum requirements are 3, and require that cryptographic algorithm efficiency is paid the utmost attention in consideration.Add for be matched
Close algorithm set SS2, according to the algorithm security label of cryptographic algorithm in set SS2, passes through to set SS2
The sieve collection that isNationalCrypt screenings are obtained is combined into empty set, it is known that the terminal does not support the close algorithm standard rules of state, because
This needs relaxes the requirement on the close algorithm standard rules of state, that is, is switched to the compatibility mode, therefore record the screening daily record and turn
Enter step 7.
Step 7:The main website is switched to the compatibility mode, and the inquiry screening daily record is to judge the sieve set
No is empty set, if empty set, then isNationalCrypt is set into 0, described will encrypt subservice safety label and be updated to
1 | and 0 | 3 | 1 }, and set SS2 is screened again according to the screening mode of the mode standard, then the sieve set is updated to
{ EA1, EA2, EA3, EA4, EA5 }, then obtains two sieve by securityLevel screenings to described one sieve set and collects
Close, the two sieves set is also empty set, illustrates that safe class requires too high, safe class need to be reduced into a rank, Ji Jiangsuo
State encryption subservice service security tag update for 1 | 0 | 2 | 1, then to described one sieve set by update after
SecurityLevel conditions are screened again obtains the two sieve set { EA3, EA4, EA5 }, eventually passes cryptographic algorithm efficiency row
Know after sequence, EA5 level of efficiency highest, then the DEA EA5 finally consulted is simultaneously transferred to step 8;
Step 8:The main website merges the above-mentioned Digital Signature Algorithm SA4 finally consulted and DEA EA5
To { SA4, EA5 } and the terminal is sent to, consults to terminate.
The machinery of consultation of the cryptographic algorithm of data transport services in power distribution network provided by the present invention, each item data transmission
Business all corresponds to a service security label, and each cryptographic algorithm to be matched corresponds to an algorithm security label.This hair
It is local that the bright described service security label and algorithm security label can be preset at equipment, it is not necessary to on-line normalization.
The present invention devises two kinds of match patterns:Mode standard and compatibility mode.The mode standard is by the business
Safety label is as the strict match pattern of cryptographic algorithm screening conditions, and the flag bit in the service security label, which is defined, to be treated
The minimum standard that the cryptographic algorithm of matching should reach, during matching need to according to the service security label priority orders one by one
Screen to select optimal algorithm.When the compatibility mode is that matching result is empty set under the mode standard, according to described
The screening log information that mode standard is produced, suitably reduces the parameter of corresponding flag bit in the service security label, so that
Cryptographic algorithm to be matched reaches the standard set by the service security label as far as possible.
The machinery of consultation of the cryptographic algorithm of data transport services in power distribution network provided by the present invention, it is adaptable in power distribution network
The negotiations process of cryptographic algorithm between any two communication equipment, for example:The control command of distribution main website to distribution terminal is transmitted
Cryptographic algorithm negotiations process involved by business, consulted with the cryptographic algorithm involved by the data forwarding business between electronic station
Journey etc..Therefore, in order to without loss of generality, according to the flow direction of data, two involved communication entities, one in step of the present invention
Referred to as data transmitting node, another is referred to as data reception node.It is noted that relating generally to two class cryptographic algorithms in distribution network
The negotiation of (Digital Signature Algorithm and DEA), for the ease of the machinery of consultation of the description present invention, only for same class
Cryptographic algorithm designs its machinery of consultation, but its thought is easy to expand to the cryptographic algorithm negotiations process of two classes and the above, these
Extension and improvement also should be regarded as protection scope of the present invention, therefore which kind of algorithm is the present invention is de-emphasized for, and abbreviation password is calculated
Method.
It should be pointed out that for those skilled in the art, before principle of the present invention is not departed from
Put, some modifications and variations can also be made.For example, the service security label and algorithm security label of the present invention are not limited to
Specific form described in the specific embodiment of this specification, and the quantity and Rule of judgment of flag bit therein is also not necessarily limited to
Quantity and Rule of judgment described in specific embodiment, and mark position is that 1 or 0 can be manually set, ability
The those of ordinary skill in domain can need to be changed according to actual technology.Further, the hair of the present invention is not being departed from
On the premise of bright design and principle, those skilled in the art is it will be appreciated that the step of claimed machinery of consultation
Rapid order is not limited to the order described in specific embodiment, but can be changed according to actual needs, these modifications
Protection scope of the present invention is each fallen within change.
Claims (10)
1. the machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network, it is characterised in that this method includes as follows
Step:
Step 1:The negotiation that data transmitting node sends cryptographic algorithm to data reception node is asked;
Step 2:The data reception node sends its cryptographic algorithm set S2 supported to the data transmitting node;
Step 3:The cryptographic algorithm set S1 that the data transmitting node is supported it seeks common ground to be gathered with set S2
S;
Step 4:The data transmitting node obtains the service security label that current data transmits business, the service security label
Including multiple flag bits;
Step 5:The data transmitting node judges whether set S meets wanting for the first flag bit in the service security label
Ask, if being unsatisfactory for requiring, that is, stop consulting, otherwise into step 6;
Step 6:The data transmitting node obtains the algorithm security label of each cryptographic algorithm in set S, first selection standard
Pattern, under the mode standard, according to the priority orders of multiple flag bits in the service security label in set S
Cryptographic algorithm is screened one by one, obtains matches criteria result, and whether be empty set, if not if then judging the matches criteria result
It is empty set, then takes out cryptographic algorithm therein as the cryptographic algorithm finally consulted, and be transferred to step 8;Otherwise, record screening day
Will simultaneously enters step 7, starts further matching;
Step 7:The data transmitting node is switched to compatibility mode, under the compatibility mode, the screening according to step 6 day
Will, reduces the numerical value of the flag bit of the service security label, and updates the service security label, and according to the master die
The screening mode of formula starts further screening, until the cryptographic algorithm finally consulted, and is transferred to step 8;
Step 8:The cryptographic algorithm finally consulted is sent to the data reception node by the data transmitting node, is consulted
Terminate.
2. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network according to claim 1, it is characterised in that
The service security label designates demand for security of the business to cryptographic algorithm, its form for isEmpty |
IsNationalCrypt | securityLevel | isEfficiencyPriority }, wherein, isEmpty is first mark
Will position and represent whether the business at least needs a cryptographic algorithm, isNationalCrypt is the second flag bit and represent should
Whether business has demand to the close algorithm standard rules of state, and securityLevel is the 3rd flag bit and represents the cryptographic algorithm of the business
Required safe class, isEfficiencyPriority is the 4th flag bit and represents whether the business pays the utmost attention to algorithm effect
Rate, isEmpty, isNationalCrypt, securityLevel and isEfficiencyPriority priority is passed successively
Subtract.
3. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network according to claim 2, it is characterised in that
IsEmpty, isNationalCrypt and isEfficiencyPriority represent using 0 or 1 respectively,
SecurityLevel carries out safety status classification using the span of key length.
4. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network according to claim 3, it is characterised in that
In steps of 5, when isEmpty=1 and set S are empty set, then it is unsatisfactory for the requirement.
5. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network according to claim 4, it is characterised in that
The algorithm security label designates the security attribute of the cryptographic algorithm, its form for is_national_crypt |
Security_level | efficiency_level }, wherein, is_national_crypt is the 5th flag bit and represents that this is close
Whether code algorithm is the close algorithm of state, and security_level is the 6th flag bit and represents the safe class of the cryptographic algorithm,
Efficiency_level is the 7th flag bit and represents the level of efficiency of the cryptographic algorithm.
6. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network according to claim 5, it is characterised in that
Is_national_crypt represents that security_level is carried out using the span of key length using 0 or 1
Safety status classification, the span that the cryptographic algorithm that efficiency_level evaluates and tests mechanism using authority performs speed comes boundary
It is fixed.
7. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network as claimed in claim 6, it is characterised in that
Under the mode standard, screening rule is the priority orders progress according to multiple flag bits in the service security label
Match somebody with somebody, the algorithm security label of the cryptographic algorithm in set S, set S is sieved by isNationalCrypt first
Choosing is met a sieve set of the close algorithm standard rules of state, judges whether the sieve set is empty set, if not empty set, under
The screening in one stage, otherwise records the screening daily record and is transferred to the compatibility mode;Then described one sieve set is passed through again
SecurityLevel screenings are met two sieve set of the safe class condition of the service security label requirement, then sentence
Whether the disconnected two sieves set is empty set, if not empty set, into the screening of next stage, otherwise records the screening daily record simultaneously
It is transferred to the compatibility mode;As isEfficiencyPriority=1, then to the cryptographic algorithm in described two sieve set by effect
Rate rank is ranked up, and the highest-ranking cryptographic algorithm of efficiency of selection is used as the cryptographic algorithm finally consulted;When
During isEfficiencyPriority=0, then a kind of cryptographic algorithm is randomly choosed as final negotiation from described two sieve set
Cryptographic algorithm.
8. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network as claimed in claim 7, it is characterised in that
Under the compatibility mode, the data transmitting node first determines whether whether the sieve set is empty according to the screening daily record
Collection, if empty set, illustrates that the condition of isNationalCrypt flag bit defineds is too strong, then puts isNationalCrypt
For 0, and the service security label is updated, set S is screened again according still further to the screening mode of the mode standard, if institute
It is not empty set to state a sieve set, and the two sieves collection is combined into empty set, illustrates the condition mistake of securityLevel flag bit defineds
By force, then securityLevel is reduced into a rank, and updates the service security label, reuse the mode standard
Screening mode is screened to described one sieve set, untill described two sieve set non-NULLs;Finally, further according to
IsEfficiencyPriority flag bits do last screening to described two sieve set, so that the password finally consulted is calculated
Method.
9. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network according to claim 1, it is characterised in that
It is local that the service security label and the algorithm security label are preset at equipment.
10. the machinery of consultation of the cryptographic algorithm of data transport services in power distribution network according to claim 1, its feature exists
In data transport services described in each single item all correspond to a service security label, each cryptographic algorithm to be matched
One algorithm security label of correspondence.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710385174.8A CN107302428B (en) | 2017-05-26 | 2017-05-26 | Method for negotiating cipher algorithm of data transmission service in power distribution network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710385174.8A CN107302428B (en) | 2017-05-26 | 2017-05-26 | Method for negotiating cipher algorithm of data transmission service in power distribution network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107302428A true CN107302428A (en) | 2017-10-27 |
| CN107302428B CN107302428B (en) | 2020-06-30 |
Family
ID=60137232
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710385174.8A Active CN107302428B (en) | 2017-05-26 | 2017-05-26 | Method for negotiating cipher algorithm of data transmission service in power distribution network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107302428B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109450854A (en) * | 2018-10-11 | 2019-03-08 | 珠海许继芝电网自动化有限公司 | A kind of distribution terminal communication security protection method and system |
| WO2019086973A1 (en) * | 2017-11-03 | 2019-05-09 | International Business Machines Corporation | Altering cipher and key within an established session |
| CN110300108A (en) * | 2019-06-26 | 2019-10-01 | 国网山东省电力公司临朐县供电公司 | A kind of power distribution automation message encryption transmission method, system, terminal and storage medium |
| CN115643102A (en) * | 2022-10-31 | 2023-01-24 | 西安优光谱信息科技有限公司 | Data processing method and system based on platform communication flow |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101064719A (en) * | 2006-04-27 | 2007-10-31 | 华为技术有限公司 | Cryptographic algorithm negotiating method in PON system |
| CN101162992A (en) * | 2007-09-29 | 2008-04-16 | 中国人民解放军信息工程大学 | Cipher protocol safety operation protecting method and system of tolerant intrusion |
| CN102055733A (en) * | 2009-10-30 | 2011-05-11 | 华为技术有限公司 | Method, device and system for negotiating business bearing tunnels |
| US8762741B2 (en) * | 2009-01-29 | 2014-06-24 | Microsoft Corporation | Privacy-preserving communication |
| CN104573535A (en) * | 2015-01-04 | 2015-04-29 | 深圳市中兴移动通信有限公司 | Mobile terminal, and method and device for improving encryption efficiency |
| CN104660583A (en) * | 2014-12-29 | 2015-05-27 | 国家电网公司 | Encryption service method based on Web encryption service |
| CN105530090A (en) * | 2015-12-31 | 2016-04-27 | 中国建设银行股份有限公司 | Key negotiation method and device |
| WO2017075410A1 (en) * | 2015-10-30 | 2017-05-04 | Convida Wireless, Llc | System and methods for achieving end-to-end security for hop-by-hop services |
-
2017
- 2017-05-26 CN CN201710385174.8A patent/CN107302428B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101064719A (en) * | 2006-04-27 | 2007-10-31 | 华为技术有限公司 | Cryptographic algorithm negotiating method in PON system |
| CN101162992A (en) * | 2007-09-29 | 2008-04-16 | 中国人民解放军信息工程大学 | Cipher protocol safety operation protecting method and system of tolerant intrusion |
| US8762741B2 (en) * | 2009-01-29 | 2014-06-24 | Microsoft Corporation | Privacy-preserving communication |
| CN102055733A (en) * | 2009-10-30 | 2011-05-11 | 华为技术有限公司 | Method, device and system for negotiating business bearing tunnels |
| CN104660583A (en) * | 2014-12-29 | 2015-05-27 | 国家电网公司 | Encryption service method based on Web encryption service |
| CN104573535A (en) * | 2015-01-04 | 2015-04-29 | 深圳市中兴移动通信有限公司 | Mobile terminal, and method and device for improving encryption efficiency |
| WO2017075410A1 (en) * | 2015-10-30 | 2017-05-04 | Convida Wireless, Llc | System and methods for achieving end-to-end security for hop-by-hop services |
| CN105530090A (en) * | 2015-12-31 | 2016-04-27 | 中国建设银行股份有限公司 | Key negotiation method and device |
Non-Patent Citations (1)
| Title |
|---|
| 马亚宁: "《基于EPON的配电网自动化通信系统安全机制研究》", 《中国优秀硕士学位论文全文数据库工程科技Ⅱ辑》 * |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2019086973A1 (en) * | 2017-11-03 | 2019-05-09 | International Business Machines Corporation | Altering cipher and key within an established session |
| CN111264052A (en) * | 2017-11-03 | 2020-06-09 | 国际商业机器公司 | Changing passwords and keys within an established session |
| GB2581096A (en) * | 2017-11-03 | 2020-08-05 | Ibm | Altering cipher and key within an established session |
| US10764328B2 (en) | 2017-11-03 | 2020-09-01 | International Business Machines Corporation | Altering cipher and key within an established session |
| GB2581096B (en) * | 2017-11-03 | 2022-06-22 | Ibm | Altering cipher and key within an established session |
| CN109450854A (en) * | 2018-10-11 | 2019-03-08 | 珠海许继芝电网自动化有限公司 | A kind of distribution terminal communication security protection method and system |
| CN110300108A (en) * | 2019-06-26 | 2019-10-01 | 国网山东省电力公司临朐县供电公司 | A kind of power distribution automation message encryption transmission method, system, terminal and storage medium |
| CN115643102A (en) * | 2022-10-31 | 2023-01-24 | 西安优光谱信息科技有限公司 | Data processing method and system based on platform communication flow |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107302428B (en) | 2020-06-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107302428A (en) | The machinery of consultation of the cryptographic algorithm of data transport services in a kind of power distribution network | |
| CN101197875A (en) | Partial data checking method and device | |
| US8463737B2 (en) | Realtime unification management information data conversion and monitoring apparatus and method for thereof | |
| CN106330573B (en) | FTTH-based method for automatically corresponding terminal and template | |
| CN103369667B (en) | Wireless communication system | |
| DE112005003623T5 (en) | Method for implementing an encryption and device thereof | |
| CN104700509B (en) | Encrypt the control method and system of express box | |
| KR20120087274A (en) | Emm client system, emm platform for building energy management and remote building management method | |
| CN101625649A (en) | Loading method and loading device of software | |
| Liu et al. | Asset analysis of risk assessment for iec 61850-based power control systems—part i: methodology | |
| CN107168853A (en) | A kind of server performance information acquisition method, system and substrate control manager | |
| CN111404886A (en) | Electric power metering terminal and electric power metering platform | |
| CN110245185A (en) | Data processing method, terminal device and computer storage medium based on alliance's chain | |
| CN104636900B (en) | The control method and system of highly reliable express box | |
| US20040049568A1 (en) | Extending a template of a network management system | |
| CN112260881A (en) | Data transmission method and device, electronic equipment and readable storage medium | |
| CN102841861A (en) | Data security storage device taking SD (Secure Digital Card) as communication interface and working method thereof | |
| US6119158A (en) | Method of forming multi-integrated agent system | |
| CN111163104A (en) | Network security protection system for enterprise | |
| CN109067765B (en) | Communication management method for Internet of Things security system | |
| CN110191134A (en) | Intelligent electric meter authentication method, certificate server, terminal, system and intelligent electric meter | |
| CN104408810B (en) | The distributing method of general access card and system | |
| CN108206805A (en) | vehicle message processing and sending method and device | |
| CN101242653B (en) | Access control method and device | |
| CN110266562A (en) | The method of network application system identity authentication function detected automatically |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 100070 Fengtai District, Feng Feng Road, the era of wealth on the 1st floor of the world's 28 floor, Beijing Applicant after: BEIJING GUODIANTONG NETWORK TECHNOLOGY Co.,Ltd. Applicant after: STATE GRID CORPORATION OF CHINA Applicant after: RESEARCH INSTITUTE OF ECONOMICS AND TECHNOLOGY, STATE GRID SHANDONG ELECTRIC POWER Co. Applicant after: Beijing University of Posts and Telecommunications Applicant after: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd. Applicant after: STATE GRID SHANXI ELECTRIC POWER COMPANY INFORMATION & TELECOMMUNICATION BRANCH Address before: 100070 Fengtai District, Feng Feng Road, the era of wealth on the 1st floor of the world's 28 floor, Beijing Applicant before: BEIJING GUODIANTONG NETWORK TECHNOLOGY Co.,Ltd. Applicant before: State Grid Corporation of China Applicant before: RESEARCH INSTITUTE OF ECONOMICS AND TECHNOLOGY, STATE GRID SHANDONG ELECTRIC POWER Co. Applicant before: Beijing University of Posts and Telecommunications Applicant before: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd. Applicant before: STATE GRID SHANXI ELECTRIC POWER COMPANY INFORMATION & TELECOMMUNICATION BRANCH |
|
| CB02 | Change of applicant information | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20190723 Address after: 100085 Beijing city Haidian District Qinghe small Camp Road No. 15 Applicant after: BEIJING CHINA POWER INFORMATION TECHNOLOGY Co.,Ltd. Applicant after: STATE GRID CORPORATION OF CHINA Applicant after: RESEARCH INSTITUTE OF ECONOMICS AND TECHNOLOGY, STATE GRID SHANDONG ELECTRIC POWER Co. Applicant after: Beijing University of Posts and Telecommunications Applicant after: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd. Applicant after: STATE GRID SHANXI ELECTRIC POWER COMPANY INFORMATION & TELECOMMUNICATION BRANCH Address before: 100070 Fengtai District, Feng Feng Road, the era of wealth on the 1st floor of the world's 28 floor, Beijing Applicant before: BEIJING GUODIANTONG NETWORK TECHNOLOGY Co.,Ltd. Applicant before: STATE GRID CORPORATION OF CHINA Applicant before: RESEARCH INSTITUTE OF ECONOMICS AND TECHNOLOGY, STATE GRID SHANDONG ELECTRIC POWER Co. Applicant before: Beijing University of Posts and Telecommunications Applicant before: STATE GRID INFORMATION & TELECOMMUNICATION GROUP Co.,Ltd. Applicant before: STATE GRID SHANXI ELECTRIC POWER COMPANY INFORMATION & TELECOMMUNICATION BRANCH |
|
| TA01 | Transfer of patent application right | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |